WHY TRADITIONAL SPAM FILTERS ARE FAILING AGAINST MODERN PHISHING

By Ṣọ · Email Security · 16 min read

84.2% of phishing emails pass DMARC authentication. Learn why secure email gateways can't stop modern attacks, how attackers exploit compromised accounts, and what layered defenses actually work.

Tags: spam filters, DMARC, phishing, secure email gateway, SEG, email authentication, business email compromise, account takeover, ICES, cybersecurity

Direct answer

Traditional spam filters are failing because modern phishing emails are designed to pass authentication checks, not bypass them. According to Egress's 2024 Phishing Threat Trends Report, 84.2% of phishing attacks passed DMARC authentication. Attackers now send malicious emails from compromised legitimate accounts rather than spoofed domains, rendering signature-based detection and authentication protocols ineffective. The FBI reported $16.6 billion in cybercrime losses in 2024, a 33% increase from 2023, with phishing remaining the most reported crime category. Organizations relying solely on traditional email security are increasingly vulnerable to attacks that pass every technical check.


What are traditional spam filters and how do they work?

Traditional spam filters, commonly known as Secure Email Gateways (SEGs), are network perimeter defenses that intercept and analyze incoming emails before they reach user inboxes. These tools have been the foundation of email security for decades, and most organizations have some form of SEG in place, whether a dedicated appliance, a cloud service, or built-in protection from email providers like Microsoft and Google.

SEGs rely primarily on three detection methods that were designed for an earlier era of email threats.

Signature-based detection works by matching incoming emails against databases of known malicious content. When security researchers identify a phishing campaign, they create signatures based on specific indicators: the sender address, subject line patterns, malicious URLs, or attachment hashes. The SEG then blocks any email matching these signatures. This approach is effective against mass-distributed campaigns using identical content, but fails against novel attacks or campaigns that modify their content slightly between sends.

Reputation-based filtering evaluates the sending domain and IP address against databases of known bad actors. Domains that have been used to send spam or phishing accumulate negative reputation scores, and emails from these sources are blocked or quarantined. This works well against attackers using freshly registered domains or known malicious infrastructure, but provides no protection when attackers use established, reputable domains.

Authentication protocols including SPF, DKIM, and DMARC verify that an email genuinely comes from the domain it claims to represent. SPF (Sender Policy Framework) checks whether the sending server's IP address is authorized to send mail for that domain. DKIM (DomainKeys Identified Mail) uses cryptographic signatures to verify the email hasn't been altered in transit. DMARC (Domain-based Message Authentication, Reporting, and Conformance) combines these checks and tells receiving servers what to do when authentication fails.

When these protocols work together correctly, they can prevent direct domain spoofing, where an attacker forges your company's exact email address to send malicious messages. This was a significant threat a decade ago, and authentication protocols have been effective against it.

The fundamental problem is that attackers have adapted. They no longer need to spoof domains when they can simply compromise legitimate accounts and send emails that pass every authentication check honestly.
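To make concrete what SPF, DKIM and DMARC actually assert, here is an added Python example; it is not code from the article or from any vendor named in it. It recomputes relaxed DMARC alignment from the Authentication-Results header a receiving server stamps, using two constructed messages with identical bodies: one forged from unrelated infrastructure, one sent from the vendor's own (compromised) account, the case Step 2 below describes. The domain names, header values and the simplified two-label organizational-domain rule are assumptions for illustration.

```python
from email import message_from_string
from email.utils import parseaddr

# Two constructed messages (not from the article). The bodies are identical;
# only the Authentication-Results header stamped by the receiving MTA differs.
SPOOFED_MSG = """\
Authentication-Results: mx.recipient.example; spf=fail smtp.mailfrom=bulk.attacker.example; dkim=none; dmarc=fail header.from=vendor.example
From: "Accounts Payable" <ap@vendor.example>
To: finance@recipient.example
Subject: Updated remittance details

Please update our bank details before Friday's payment run.
"""

COMPROMISED_ACCOUNT_MSG = """\
Authentication-Results: mx.recipient.example; spf=pass smtp.mailfrom=ap@vendor.example; dkim=pass header.d=vendor.example; dmarc=pass header.from=vendor.example
From: "Accounts Payable" <ap@vendor.example>
To: finance@recipient.example
Subject: Updated remittance details

Please update our bank details before Friday's payment run.
"""


def parse_auth_results(header):
    """Split an Authentication-Results header (RFC 8601) into {method: {result, properties}}.

    Simplified: assumes the header carries no parenthesised comments.
    """
    parts = [p.strip() for p in header.split(";")]
    results = {}
    for part in parts[1:]:  # parts[0] is the authserv-id of the receiving server
        if not part:
            continue
        tokens = part.split()
        method, _, result = tokens[0].partition("=")
        props = dict(t.split("=", 1) for t in tokens[1:] if "=" in t)
        results[method.lower()] = {"result": result.lower(), **props}
    return results


def org_domain(name):
    """Organizational domain used for relaxed alignment. Simplified to the last
    two labels; real DMARC implementations consult the Public Suffix List."""
    name = name.rpartition("@")[2]  # tolerate a full address in smtp.mailfrom
    labels = name.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def dmarc_alignment(raw_message):
    """Recompute relaxed DMARC alignment from the stamped SPF and DKIM results
    and the RFC 5322 From domain instead of trusting the dmarc= verdict."""
    msg = message_from_string(raw_message)
    _, from_addr = parseaddr(msg["From"])
    from_dom = org_domain(from_addr)
    auth = parse_auth_results(msg["Authentication-Results"])
    spf, dkim = auth.get("spf", {}), auth.get("dkim", {})
    spf_aligned = spf.get("result") == "pass" and org_domain(spf.get("smtp.mailfrom", "")) == from_dom
    dkim_aligned = dkim.get("result") == "pass" and org_domain(dkim.get("header.d", "")) == from_dom
    return {
        "from_domain": from_dom,
        "spf_aligned": spf_aligned,
        "dkim_aligned": dkim_aligned,
        "dmarc_pass": spf_aligned or dkim_aligned,
    }


if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED_MSG), ("compromised account", COMPROMISED_ACCOUNT_MSG)):
        print(label, dmarc_alignment(raw))
```

The forged message fails because neither SPF nor DKIM produces a pass aligned with vendor.example. The message from the compromised account passes on both: the sending server is authorized, the signature is the vendor's own, and the From domain aligns. Nothing in the computation looks at the body, which is the article's point.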


Why does the failure of traditional email security matter?

The gap between traditional defenses and modern attack techniques is widening, and the consequences are measured in billions of dollars and compromised organizations.

The financial impact is accelerating

The FBI's 2024 Internet Crime Complaint Center (IC3) Report documented the most expensive year for cybercrime on record. Total reported losses reached $16.6 billion, representing a 33% increase from the $12.5 billion reported in 2023. The average loss per incident jumped from $14,197 to $19,372, indicating that attacks are not only more frequent but more damaging when they succeed.

Phishing remained the most reported cybercrime category with 193,407 complaints filed. While this number actually decreased from 298,878 complaints in 2023, the financial impact tells a different story. Phishing losses nearly quadrupled from $18.7 million in 2023 to $70 million in 2024. Attackers are running fewer, more targeted campaigns with higher conversion rates.

Business email compromise, which typically begins with a phishing attack, caused $2.77 billion in reported losses in 2024 alone. Over the past three years, BEC has accounted for nearly $8.5 billion in losses reported to the FBI. These attacks succeed because they exploit trust relationships and often pass all technical security checks.

Authentication is not providing the protection organizations expect

Egress research reveals the core problem that makes traditional defenses inadequate. In 2024, 84.2% of phishing attacks passed DMARC authentication. This statistic fundamentally undermines the assumption that authentication protocols protect against phishing.

The reason is straightforward: attackers are not failing authentication checks; they are passing them legitimately. When a phishing email comes from a compromised legitimate account, DMARC validates that the email genuinely came from that domain because it did. The authentication is technically correct. The intent behind the email is malicious.

Additional Egress findings paint a concerning picture of SEG effectiveness:

The first quarter of 2024 saw a 52.2% increase in attacks that bypassed SEG detection entirely. These were not edge cases or sophisticated nation-state attacks. They were common phishing campaigns that SEGs simply could not identify as threats.

Of these successful bypasses, 68.4% passed authentication checks including DMARC. The attacks were not exploiting authentication weaknesses; they were exploiting the fundamental limitation that authentication verifies identity, not intent.

44% of phishing emails were sent from compromised accounts, meaning they came from real users on real domains with valid authentication and positive reputation scores. 8% of these originated from within the target organization's own supply chain, leveraging existing business relationships and trust.

Organizations recognize the problem

Survey data from Egress's Email Security Risk Report shows that security professionals understand their current tools are inadequate. 94% of organizations fell victim to phishing attacks in 2024, up from 92% in 2023. Despite investments in email security, the needle is moving in the wrong direction.

91% of cybersecurity leaders expressed frustration with their secure email gateway. 87% are considering replacing their SEG with Microsoft 365 native protection combined with Integrated Cloud Email Security (ICES) solutions, or have already done so.

The frustration stems from a fundamental mismatch between what SEGs were designed to do and what modern threats require. SEGs excel at blocking known bad content from known bad sources. Modern phishing delivers unknown bad content from known good sources.


How do phishing attacks bypass traditional filters?

Understanding the attack chain reveals why authentication-based security provides a false sense of protection. Modern phishing attacks exploit the fundamental limitations of perimeter security through a predictable and repeatable sequence.

Step 1: Initial account compromise

Every authentication-bypassing attack begins with access to a legitimate email account. Attackers acquire this access through multiple methods, each exploiting different security gaps.

Credential stuffing uses username and password combinations from previous data breaches. When users reuse passwords across services, a breach at one company provides access to their accounts everywhere. Automated tools test these credentials against email services at scale.

Targeted phishing harvests credentials through fake login pages. An attacker sends an email claiming the recipient needs to verify their account, reset their password, or review a shared document. The link leads to a convincing replica of a legitimate login page. Once the victim enters their credentials, the attacker has access.

Social engineering targets IT help desks and support staff. Attackers pose as employees who have forgotten their passwords or been locked out of their accounts. With enough research into the organization, they can answer security questions and convince support staff to reset credentials or disable multi-factor authentication.

Business email compromise itself can be the entry point. An attacker who successfully tricks an employee into sending money can use that interaction to build rapport and eventually extract credentials or access to systems.

Step 2: Legitimate authentication establishment

Once the attacker controls a real email account, every technical security check becomes meaningless. The account they control passes SPF because the emails are genuinely sent from authorized servers. The DKIM signatures are valid because the emails are genuinely signed with the domain's keys. DMARC alignment passes because the authenticated domain and the From address genuinely match.

From a technical authentication perspective, these emails are indistinguishable from legitimate business communication. They are, in fact, technically legitimate. They are sent from real accounts on real domains through real email infrastructure. The only thing that makes them malicious is the intent of the person controlling the account.

Step 3: Trust and reputation exploitation

The compromised account typically has an established sending history. It has communicated with the target before, or belongs to an organization the target does business with. Reputation-based filtering sees a known sender from a trusted domain with valid authentication and positive historical indicators.

This is precisely the profile SEGs use to identify legitimate email. The account has sent non-malicious messages in the past. The domain has a clean reputation. The authentication passes. Every signal indicates trustworthy communication.

When the attack originates from within the target's supply chain, the trust exploitation is even more effective. The email appears to come from a vendor, partner, or customer with an established business relationship. The recipient has likely received and acted on legitimate requests from this sender before.

Step 4: Payload delivery and social engineering

With technical barriers cleared, the attacker delivers their payload. Modern phishing payloads have evolved significantly from the obvious malware attachments of previous years.

Hyperlinks to credential harvesting sites appear in 45% of phishing emails. These links lead to convincing replicas of legitimate login pages for Microsoft 365, Google Workspace, banking services, or internal applications. The pages are often hosted on compromised legitimate websites or cloud services, further evading URL reputation filtering.

Pure social engineering with no malicious technical payload accounts for 19% of phishing attacks. These emails simply make fraudulent requests: change this payment destination, purchase gift cards for a client, share confidential information. There is no malware, no malicious link, nothing for technical tools to detect. The attack is entirely psychological.

QR code phishing (quishing) has risen dramatically from 0.8% of attacks in 2021 to 10.8% in 2024. QR codes obscure the destination URL, making it impossible for users to hover and preview where a link leads. They also bypass many URL scanning tools that analyze clickable links but ignore image content.

Malicious attachments still account for 35.7% of attacks, though this has declined from 72.7% in 2021. Attackers have learned that links and social engineering are more effective at evading detection.

Step 5: Credential harvesting and lateral movement

When the attack succeeds, the victim's credentials are captured or they comply with the fraudulent request. If credentials are harvested, the cycle begins again. The newly compromised account becomes another launching platform for attacks against that victim's contacts, customers, and colleagues.

This creates chains of legitimate-looking attacks that can spread through organizations and across business relationships. Each compromised account provides access to new targets who trust communications from that sender.

The FBI's IC3 report notes that this pattern is particularly damaging in business email compromise. An attacker who compromises one account in a financial transaction chain can redirect payments, modify banking details, or intercept legitimate invoices. The communications appear to come from trusted parties, pass all authentication checks, and reference real ongoing business relationships.


Real case: supply chain account compromise

The theoretical attack chain plays out in documented incidents with significant financial consequences. Egress's 2024 research identified a particularly concerning pattern: 8% of phishing emails originated from compromised accounts within the target organization's own supply chain.

These attacks are devastating because they exploit established business relationships and communication patterns. When a vendor's account is compromised, the attacker gains access to ongoing conversations, invoice templates, payment schedules, and communication styles. They can insert themselves into legitimate business processes with a level of authenticity that traditional security cannot distinguish from normal operations.

In documented scenarios, attackers compromised vendor email accounts and used them to send fraudulent invoice modification requests. The emails came from the vendor's actual domain, were sent through the vendor's actual email servers, and passed DMARC authentication because they genuinely originated from authorized infrastructure.

The recipients had no technical indicators of compromise. The sender address matched previous legitimate communications. The domain reputation was positive based on years of legitimate business correspondence. The authentication status showed valid SPF, DKIM, and DMARC. Email headers revealed nothing suspicious because there was nothing technically suspicious to reveal.

Traditional filters saw a known vendor sending a routine business communication about an existing invoice. The content referenced real purchase orders, real products, and real ongoing business relationships that the attacker learned about by reading the compromised account's email history.

Only behavioral analysis examining the unusual nature of the request, the timing anomalies, or linguistic patterns inconsistent with the legitimate sender could have flagged these communications as potentially fraudulent. Signature-based detection had no signatures to match. Reputation filtering saw a reputable sender. Authentication confirmed the email was genuine. The attack passed every traditional check.


How can you detect filter-evading phishing?

When technical authentication provides false assurance, detection must shift to content analysis, behavioral patterns, and human judgment. Organizations and individuals need to develop detection capabilities that do not rely solely on whether an email passed authentication.

Examine the request, not just the sender

Legitimate authentication does not guarantee legitimate intent. This is the fundamental mindset shift required to detect modern phishing. Every email requesting payment changes, credential entry, urgent action, or sensitive information should be scrutinized regardless of who sent it.

Ask whether the request is consistent with normal business processes. Question whether this sender typically makes this type of request. Consider whether the timing makes sense. Evaluate whether the urgency is justified or artificially manufactured.

Recognize urgency and pressure as warning signs

Phishing emails have become more sophisticated in their social engineering. Egress research shows phishing emails are now over three times longer than they were in 2021, with more detailed and convincing narratives. This increased length reflects the investment attackers make in crafting persuasive content.

Artificial deadlines, threats of account closure, claims of security incidents requiring immediate action, and requests for secrecy are consistent red flags across virtually all phishing variants. Legitimate business communications rarely demand immediate action with threatened consequences for delay.
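The two checks above, scrutinize the request rather than the sender and treat urgency and secrecy as warning signs, can be expressed as simple content rules run against messages that have already passed authentication. The following Python is an added example, not code from the article or from any ICES vendor. It classifies the type of request, compares it against a constructed per-sender baseline of what that sender has asked for before, looks for pressure language, and notes a Reply-To that points away from the From domain. The phrase lists, the two sample messages and the sender history are all constructed for illustration.

```python
import re
from email.utils import parseaddr

# Pressure and secrecy phrases; the list is constructed, not exhaustive.
URGENCY_PHRASES = (
    "immediately", "urgent", "today", "before end of day", "asap",
    "account will be closed", "keep this confidential", "do not discuss",
)

# A request type matches when every pattern in its list occurs in the text.
REQUEST_TYPES = {
    "payment_change": [r"\b(new|updated?|changed?)\b",
                       r"\b(bank|account|remittance|wire|payment)\s+(details|instructions|information)\b"],
    "credential":     [r"\b(verify|confirm|re-?enter|validate)\b",
                       r"\b(password|credentials|sign[ -]?in|log[ -]?in)\b"],
    "gift_card":      [r"\bgift\s+cards?\b"],
}

# Constructed baseline: this sender has only ever sent invoices and status updates.
SENDER_HISTORY = {"invoice", "status_update"}

# Constructed messages. Both carry dmarc=pass; only the content differs.
ROUTINE = {
    "from": "ap@vendor.example", "reply_to": "", "dmarc": "pass",
    "subject": "Invoice 4471",
    "body": "Attached is invoice 4471 for March services. Payment terms are net 30 as usual.",
}
SUSPECT = {
    "from": "ap@vendor.example", "reply_to": "ap-vendor@mail-relay.example", "dmarc": "pass",
    "subject": "Invoice 4471 - action required",
    "body": ("Our bank account details have changed effective today. Please update your "
             "records and process the attached invoice immediately. Kindly keep this "
             "confidential until the audit is complete."),
}


def classify_request(text):
    """Return the request types whose patterns all appear in the text."""
    return [name for name, pats in REQUEST_TYPES.items()
            if all(re.search(p, text, re.I) for p in pats)]


def _domain(addr):
    return parseaddr(addr)[1].rpartition("@")[2].lower()


def score_message(msg, sender_history):
    """Score one message against the sender's history of request types."""
    text = msg.get("subject", "") + "\n" + msg["body"]
    kinds = classify_request(text)
    signals = [f"first {k} request from this sender" for k in kinds if k not in sender_history]
    hits = [p for p in URGENCY_PHRASES if p in text.lower()]
    if hits:
        signals.append("urgency or secrecy language: " + ", ".join(hits))
    reply_dom = _domain(msg.get("reply_to") or "")
    if reply_dom and reply_dom != _domain(msg["from"]):
        signals.append("Reply-To domain differs from From domain")
    return {
        "authenticated": msg.get("dmarc") == "pass",
        "request_types": kinds,
        "signals": signals,
        # Any payment or credential request gets out-of-band verification,
        # regardless of how the message authenticated.
        "verify_out_of_band": bool(kinds),
        "escalate": bool(signals),
    }


if __name__ == "__main__":
    for label, m in (("routine", ROUTINE), ("suspect", SUSPECT)):
        print(label, score_message(m, SENDER_HISTORY))
```

Both messages report `authenticated: True`; the routine invoice produces no signals, while the second raises a first-ever payment change from this sender, three pressure phrases and a divergent Reply-To. Rules this simple are brittle on their own, but they show the kind of evidence behavioral tooling weighs that authentication status cannot supply.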

Verify through separate channels before acting

Before acting on any financial request, credential request, or sensitive information request, verify through an independent channel. Call the supposed sender using a phone number you already have on file, not a number provided in the suspicious email. Send a separate email asking for confirmation. Walk down the hall and ask in person.

This verification step is the single most effective defense against business email compromise. It defeats attacks regardless of how sophisticated the technical evasion or how convincing the social engineering. If the request is legitimate, verification costs a few minutes. If the request is fraudulent, verification prevents significant losses.

Inspect link destinations before clicking

Hover over hyperlinks to preview the actual destination URL. Legitimate services do not ask you to log in through unfamiliar domains. A Microsoft login request should lead to microsoft.com or your organization's configured authentication endpoint, not a lookalike domain or a URL hosted on a cloud service.

Be particularly cautious of shortened URLs, redirects through legitimate services, and links embedded in images. Attackers use these techniques specifically to obscure malicious destinations.
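The link checks in this section can be automated for a mail body before a user ever hovers. The Python below is an added example, not code from the article or from any product it names. It walks the anchors in a constructed HTML body and flags four of the patterns described above: display text that names one domain while the href goes to another, known URL shorteners, sign-in wording on a host that is not an approved login endpoint, and a brand name inside a lookalike host. The approved-domain set, shortener list, keyword lists and sample body are constructed assumptions; the two-label "registrable domain" rule is a simplification of what a Public Suffix List lookup would do.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed configuration: where this organisation expects sign-in links to lead.
EXPECTED_LOGIN_DOMAINS = {"microsoft.com", "microsoftonline.com", "sso.corp.example"}
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co"}           # partial, constructed list
LOGIN_WORDS = ("login", "signin", "sign-in", "verify", "password", "auth")
BRAND_WORDS = ("microsoft", "office365", "google", "workspace")

# Visible anchor text that itself looks like a domain or URL.
DOMAIN_LIKE = re.compile(r"(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?", re.I)

# Constructed sample body (not from the article).
SAMPLE_HTML = """
<p>Your mailbox quota is full. <a href="https://login.microsoft-verify.example/auth">Sign in to Microsoft 365</a> to keep receiving mail.</p>
<p>Invoice: <a href="https://bit.ly/3k9Qx">https://portal.vendor.example/invoice/4471</a></p>
<p>Status page: <a href="https://vendor.example/status">vendor.example</a></p>
"""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable(host):
    """Last two labels of a host; real code would use the Public Suffix List."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def inspect_links(html_body, expected_login_domains=EXPECTED_LOGIN_DOMAINS):
    """Return one finding per link with the reasons (possibly none) it is suspicious."""
    parser = LinkCollector()
    parser.feed(html_body)
    findings = []
    for href, text in parser.links:
        host = urlparse(href).hostname or ""
        reg = registrable(host)
        reasons = []
        # 1. Visible text shows one domain, the link target is another.
        if DOMAIN_LIKE.fullmatch(text):
            shown = urlparse(text if "://" in text else "//" + text).hostname or ""
            if registrable(shown) != reg:
                reasons.append("display text domain differs from link target")
        # 2. Shortened URL hides the final destination.
        if reg in SHORTENERS:
            reasons.append("shortened URL hides destination")
        # 3. Sign-in wording on a domain that is not an approved login endpoint.
        if any(w in href.lower() for w in LOGIN_WORDS) and reg not in expected_login_domains:
            reasons.append("login-style URL on unexpected domain")
        # 4. Brand name inside a host that is not the brand's own domain.
        if any(b in host.lower() for b in BRAND_WORDS) and reg not in expected_login_domains:
            reasons.append("brand name in lookalike host")
        findings.append({"href": href, "text": text, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in inspect_links(SAMPLE_HTML):
        print(f["href"], "->", f["reasons"] or "ok")
```

On the sample body the first link is flagged for login wording and a brand name on a non-approved host, the second for a shortener whose visible text claims a different domain, and the plain vendor status link passes. Links embedded in images have no anchor text to compare, which is exactly why the article singles them out.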

Treat QR codes with suspicion

QR code phishing has grown dramatically because codes effectively hide malicious URLs. Users cannot hover over a QR code to preview where it leads. Many URL scanning tools do not analyze QR code contents.

Treat any QR code in an email with heightened suspicion, particularly if it requests you to log in, verify your identity, or provide payment information. When possible, navigate directly to the relevant service rather than scanning provided codes.

Watch for multi-channel attack patterns

Attackers increasingly use multi-channel approaches to increase credibility and pressure. Microsoft Teams saw a 104.4% increase as a second-step attack vector in 2024. Slack, SMS, phone calls, and video conferences are also used to follow up on initial phishing emails.

If an email is followed by unusual contact through messaging apps, video calls, or phone, treat both communications with heightened suspicion. The multi-channel approach is designed to create artificial urgency and prevent you from taking time to verify.


What prevention steps should organizations take?

Addressing the authentication gap requires layered defenses that go beyond perimeter security. Organizations must accept that traditional SEGs, while still useful for blocking known threats, cannot protect against the majority of modern phishing attacks.

Deploy behavioral AI detection

Integrated Cloud Email Security (ICES) solutions represent the current best practice for detecting sophisticated phishing. Unlike SEGs that sit at the network perimeter and filter based on signatures and authentication, ICES solutions integrate directly with email platforms and analyze behavioral patterns.

These tools examine email content for linguistic patterns inconsistent with normal communication, requests that deviate from established business processes, and social engineering indicators. They analyze sender behavior to identify anomalies even from legitimate accounts. They evaluate relationships between senders and recipients to detect unusual communication patterns.

Critically, ICES solutions can detect threats from compromised legitimate accounts that SEGs miss entirely. When an email passes every authentication check but contains an unusual request, behavioral AI can flag it for review.

Implement strict financial verification procedures

No single email should authorize significant financial transactions. Organizations should require out-of-band confirmation for wire transfers, payment method changes, and vendor modifications.

Out-of-band means verification through a completely separate communication channel from the one that delivered the request. If the request came by email, verify by phone. If the request came by phone, verify by email to a known address. Do not use contact information provided in the suspicious request.

Establish clear thresholds for verification requirements. Any transaction above a certain dollar amount requires phone verification to a known contact. Any change to payment instructions requires verification regardless of amount. Any request from a new contact requires verification through an established organizational contact.

Enable advanced threat protection features

Microsoft 365 and Google Workspace include security features beyond basic spam filtering. Safe Links and Safe Attachments in Microsoft 365 scan URLs and files at time of click rather than just at delivery. Google Workspace includes phishing and malware protection that analyzes email content beyond authentication.

These native features should be enabled and configured appropriately, but they are not sufficient alone. Dedicated security layers provide deeper analysis and catch threats that native protection misses. The 87% of security leaders considering ICES solutions are responding to real limitations in native and SEG protection.

Prioritize security awareness training

With 19% of phishing attacks relying solely on social engineering without malicious technical payloads, human judgment remains critical. No technical tool can detect a convincing email that simply asks for something fraudulent without any malicious content.

Training should focus specifically on business email compromise scenarios, payment fraud, and credential harvesting. Generic phishing awareness that teaches employees to look for misspellings and suspicious sender addresses does not address attacks from legitimate accounts with professional content.

Train employees that authentication indicators do not guarantee safety. A message can pass every technical check and still be malicious. The request matters more than the sender verification.

Monitor for account compromise indicators

When attacks begin with account compromise, detecting that compromise is the first line of defense. Watch for unusual login locations, particularly from countries where the organization does not operate. Monitor for the creation of mail forwarding rules that send copies of messages to external addresses. Look for inbox rules that delete or hide incoming messages, which attackers use to prevent victims from seeing replies to their fraudulent messages.

Alert on impossible travel patterns where a user logs in from two distant geographic locations within a timeframe that makes physical travel impossible. This pattern often indicates credential compromise.
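The indicators in this section, impossible travel between sign-ins and mailbox rules that forward externally or hide incoming mail, translate directly into detection logic. The Python below is an added example, not code from the article or from any mail platform's SDK; it runs over constructed audit records whose field names are assumptions, not the schema of any real product. Impossible travel is computed as the great-circle distance between consecutive sign-ins for the same user divided by the elapsed time, compared against a constructed speed ceiling; mailbox rules are flagged when they forward to addresses outside the organization's domain, delete or file messages into rarely opened folders, or key on financial or security terms.

```python
import math
import re
from datetime import datetime

ORG_DOMAIN = "corp.example"        # constructed
MAX_PLAUSIBLE_KMH = 900.0          # constructed ceiling, roughly airliner speed
HIDING_FOLDERS = {"Deleted Items", "Archive", "RSS Feeds"}  # constructed: folders users rarely open
SENSITIVE_TERMS = re.compile(r"invoice|payment|bank|wire|password", re.I)

# Constructed sign-in audit events: alice appears in London and Lagos 90 minutes apart.
SIGNIN_EVENTS = [
    {"user": "alice@corp.example", "time": "2024-05-06T08:00:00+00:00", "city": "London",   "lat": 51.5074, "lon": -0.1278},
    {"user": "alice@corp.example", "time": "2024-05-06T09:30:00+00:00", "city": "Lagos",    "lat": 6.5244,  "lon": 3.3792},
    {"user": "bob@corp.example",   "time": "2024-05-06T09:00:00+00:00", "city": "New York", "lat": 40.7128, "lon": -74.0060},
    {"user": "bob@corp.example",   "time": "2024-05-06T15:00:00+00:00", "city": "Chicago",  "lat": 41.8781, "lon": -87.6298},
]

# Constructed mailbox-rule audit records; field names are illustrative only.
RULE_EVENTS = [
    {"user": "alice@corp.example", "name": "Invoice sync", "conditions": ["subject contains 'invoice'"],
     "actions": ["forward", "delete"], "forward_to": ["a.ccounts@mail-drop.example"], "move_to_folder": None},
    {"user": "bob@corp.example", "name": "Newsletters", "conditions": ["from contains 'news'"],
     "actions": ["move"], "forward_to": [], "move_to_folder": "Newsletters"},
]


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two lat/lon points."""
    r = 6371.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi, dlmb = p2 - p1, math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))


def impossible_travel(events, max_kmh=MAX_PLAUSIBLE_KMH):
    """Alert on consecutive sign-ins per user that imply travel faster than max_kmh."""
    by_user = {}
    for e in sorted(events, key=lambda e: (e["user"], e["time"])):
        by_user.setdefault(e["user"], []).append(e)
    alerts = []
    for user, evs in by_user.items():
        for prev, cur in zip(evs, evs[1:]):
            hours = (datetime.fromisoformat(cur["time"]) - datetime.fromisoformat(prev["time"])).total_seconds() / 3600
            km = haversine_km(prev["lat"], prev["lon"], cur["lat"], cur["lon"])
            speed = km / hours if hours > 0 else (math.inf if km > 0 else 0.0)
            if speed > max_kmh:
                alerts.append({"user": user, "from": prev["city"], "to": cur["city"],
                               "km": round(km), "hours": round(hours, 2), "kmh": round(speed)})
    return alerts


def suspicious_mailbox_rules(rule_events, org_domain=ORG_DOMAIN):
    """Flag rules that exfiltrate copies externally, hide incoming mail, or target sensitive subjects."""
    findings = []
    for r in rule_events:
        reasons = []
        for addr in r.get("forward_to", []):
            if addr.rpartition("@")[2].lower() != org_domain:
                reasons.append(f"forwards to external address {addr}")
        if "delete" in r.get("actions", []) or r.get("move_to_folder") in HIDING_FOLDERS:
            reasons.append("deletes or hides incoming mail")
        if reasons and SENSITIVE_TERMS.search(" ".join(r.get("conditions", []))):
            reasons.append("matches financial or security keywords")
        if reasons:
            findings.append({"user": r["user"], "rule": r["name"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    print(impossible_travel(SIGNIN_EVENTS))
    print(suspicious_mailbox_rules(RULE_EVENTS))
```

Alice's London-to-Lagos pair (about 5,000 km in 1.5 hours) trips the travel check while Bob's New York-to-Chicago pair does not; her "Invoice sync" rule is flagged on all three counts, and Bob's newsletter filter is left alone. In production the same logic would run against the sign-in and mailbox audit logs the mail platform exports, with geolocation supplied by an IP-to-location lookup.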

Establish supply chain security protocols

Given that 8% of phishing emails in Egress's research originated from compromised supply chain accounts, vendor relationships require specific security attention.

Maintain verified contact information for key vendor personnel that is stored outside of email. If a vendor sends unusual requests, verify through these established contacts. Do not rely on contact information provided in the suspicious email.

Consider requiring vendors to meet specific security standards as a condition of the business relationship. Multi-factor authentication, security awareness training, and incident notification requirements can reduce the likelihood of vendor account compromise affecting your organization.


What should you do if a phishing email bypasses your filters?

Even with layered defenses, some attacks will succeed. Rapid response limits damage and prevents the compromised account from being used to attack others.

Immediate containment

If an employee clicked a link or entered credentials, act immediately. Reset their password and revoke all active sessions. This prevents the attacker from using captured credentials even if they have not yet exploited them.

Check the account for signs of compromise: unauthorized mail forwarding rules, inbox rules that delete or hide messages, unusual sent messages. Attackers often configure forwarding to receive copies of all incoming mail, allowing them to intercept responses to their fraudulent messages.

If the employee entered credentials on a phishing page, assume those credentials are compromised for any other service where they may have been reused. Prompt password changes across services, and use this as an opportunity to enforce unique passwords and multi-factor authentication.

Notification and communication

If the compromised account was used to send phishing to others, particularly customers, partners, or vendors, notify them immediately. The sooner they know to disregard fraudulent messages, the less likely subsequent attacks will succeed.

Internal communication should inform relevant stakeholders without creating panic. IT and security teams need to know the scope of compromise. Management needs to understand potential business impact. Other employees need to be alert for related attacks.

Evidence preservation

Document the email headers, URLs accessed, timeline of events, and any actions taken. This information is essential for incident response investigation and may be required for law enforcement or insurance claims.

Preserve the original phishing email with full headers. Screenshot the phishing page if possible. Record what credentials or information may have been exposed. Document the timeline from receipt through detection and response.

Regulatory and law enforcement reporting

File a complaint with the FBI's Internet Crime Complaint Center at ic3.gov. While individual reports may not generate immediate investigation, aggregate data helps law enforcement identify patterns and prioritize resources.

For business email compromise involving wire transfers, contact your financial institution immediately. The FBI's Recovery Asset Team achieved a 66% success rate in freezing fraudulent transfers in 2024, recovering over $561 million. Speed is critical; once funds are moved through multiple accounts or converted to cryptocurrency, recovery becomes extremely difficult.

Depending on your industry and the nature of compromised information, regulatory notification requirements may apply. HIPAA, GDPR, state breach notification laws, and industry-specific regulations have varying requirements for timing and scope of notification.

Post-incident security review

Every successful phishing attack is an opportunity to improve defenses. Determine how the initial compromise occurred. Was it credential reuse from a data breach? A successful previous phishing attack? Social engineering of support staff? Weak or missing multi-factor authentication?

Identify what detection failed. Why did the email reach the user? Why did the user engage with it? What behavioral or technical indicators were missed? How long did the attack go undetected?

Use the findings to improve defenses. Close the specific gap that enabled this attack, but also look for similar gaps that could enable related attacks.


Frequently Asked Questions

Why doesn't DMARC stop phishing if it's configured correctly?

DMARC only verifies that an email comes from an authorized sender for that domain. It confirms that the domain in the "From" address matches the domain that actually sent the message, and that the sending server was authorized. When attackers compromise legitimate accounts, they become authorized senders. DMARC cannot detect that the person controlling the account has malicious intent. This is why Egress found 84.2% of phishing emails pass DMARC checks. The protocol is working correctly; it's just solving a different problem than the one attackers are exploiting.

Are secure email gateways still useful or should we replace them entirely?

SEGs remain valuable for blocking known threats, spam, malware with recognized signatures, and obvious spoofing attempts. They reduce the volume of obvious junk that would otherwise overwhelm users. However, SEGs are insufficient as a standalone defense against sophisticated phishing. Most security experts recommend supplementing SEGs with behavioral AI tools that analyze content and intent rather than just authentication status. The 87% of security leaders considering ICES solutions are not abandoning SEGs but layering additional detection capabilities on top of them.

How do attackers compromise legitimate accounts to send phishing?

Attackers use multiple methods depending on the target and their resources. Credential stuffing uses passwords from previous data breaches, exploiting password reuse across services. Phishing itself harvests credentials through fake login pages, creating a cycle where successful phishing enables future phishing. Social engineering targets IT help desks and support staff to reset passwords or disable security controls. Malware including keyloggers and information stealers captures credentials from infected devices. Business email compromise conversations can eventually extract enough information for account access. Once attackers control one account, they use it to target that account's contacts, who are more likely to trust communications from a known sender.

What is the difference between SEG and ICES solutions?

SEGs (Secure Email Gateways) sit at the network perimeter and filter emails based on signatures, reputation, and authentication before messages reach user inboxes. They are effective against known threats from known malicious sources. ICES (Integrated Cloud Email Security) solutions integrate directly with email platforms like Microsoft 365 and Google Workspace, operating within the email environment rather than at the perimeter. They analyze behavioral patterns, linguistic cues, sender relationships, and anomalous activity to detect threats that pass authentication checks. ICES can identify compromised legitimate accounts by detecting requests that deviate from normal patterns, even when every technical indicator shows a legitimate sender.

How can small businesses protect themselves without enterprise security budgets?

Start with fundamentals that address the most common attack vectors. Enable multi-factor authentication on all email accounts; this single step prevents the majority of account compromise. Train employees to verify financial requests through phone calls to known numbers, not contact information provided in emails. Implement approval processes requiring multiple people to authorize wire transfers or payment changes. Use the security features built into Microsoft 365 or Google Workspace, which include substantial protection at no additional cost. Create a culture where verifying unusual requests is expected and encouraged rather than seen as distrustful or inefficient. These steps cost minimal money and address the attack patterns responsible for the largest financial losses.


Executive summary

Traditional spam filters are failing because they rely on authentication protocols that attackers now pass legitimately. Egress research shows 84.2% of phishing emails passed DMARC authentication in 2024, and 44% came from compromised legitimate accounts. The FBI documented $16.6 billion in cybercrime losses for 2024, a 33% increase from the previous year, with phishing losses nearly quadrupling to $70 million.

The core problem is architectural: SEGs verify sender identity, not sender intent. When attackers control real accounts with valid authentication and positive reputation, authentication becomes meaningless as a security signal. Every technical check passes. The email is genuine. Only the intent is malicious.

This is why 91% of security leaders express frustration with their SEG, and 87% are considering or have already implemented ICES solutions that analyze behavior rather than just authentication.

Organizations must layer behavioral AI detection on top of traditional filters. Train employees to verify unusual requests regardless of sender authentication. Implement strict out-of-band verification for financial transactions. Monitor for account compromise indicators. Establish supply chain security protocols for vendor relationships.

The email that passes every technical check may be the most dangerous one in your inbox. Authentication tells you who sent a message. It tells you nothing about whether you should trust what they are asking you to do.


Sources: FBI IC3 2024 Annual Report, Egress Phishing Threat Trends Report (April 2024), Egress Phishing Threat Trends Report (October 2024), Egress Email Security Risk Report 2024